- Trend Micro patches CVE-2026-34926, a moderate directory traversal flaw in Apex One (on-prem) that lets local administrators inject malicious code
- Despite requiring prior administrator access, the flaw is already being exploited in the wild, prompting urgent patching guidance
- CISA adds it to the KEV catalog, giving federal agencies until June 4, 2026 to update or discontinue use per BOD 22-01 directives
A dangerous vulnerability in Trend Micro’s Apex One product is being actively exploited in the wild, researchers have warned, urging users to apply the available patch as soon as possible.
Apex One is Trend Micro’s endpoint protection platform (EPP) built to protect enterprise devices from malware, ransomware, fileless attacks and various other cyber threats. It uses a combination of antivirus features, behavioral analysis, machine learning and EDR/XDR. It seems to be quite popular, with some sources counting the number of customers in the thousands.
The company has now released a patch for a directory traversal vulnerability in the on-premises variant of Apex One, which could allow local attackers who already hold administrative rights to inject malicious code.
“A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations,” the NVD post reads.
“This vulnerability can only be exploited on the local version of Apex One, and a potential attacker would need access to the Apex One server and already obtained administrative credentials to the server via another method to exploit this vulnerability.”
The bug is now tracked as CVE-2026-34926 and has a severity rating of 6.7/10 (medium).
While this all points to a somewhat low-risk vulnerability, Trend Micro said it already saw “at least one” exploitation attempt.
We don’t know if one attempt is enough to be listed in CISA’s Known Exploited Vulnerabilities (KEV) database, but the US agency did just that. Last Thursday, CISA unveiled a new catalog entry that gave Federal Civilian Executive Branch (FCEB) agencies a deadline of June 4 to apply the patch or stop using Apex One altogether.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply restrictions according to the vendor’s instructions, follow applicable BOD 22-01 guidance for cloud services, or stop using the product if restrictions are not available.”
Via Bleeping Computer




